Executive Summary 


• Cloudflare was built to help you and your end users be more secure on the Internet. We are a privacy-first company, and our network and all of our products are built with data protection in mind. 


• Cloudflare maintains a broad set of legal and contractual protections that comply with Japan’s Act on the Protection of Personal Information (“APPI”). 


• Cloudflare offers product features and technical protections for Cloudflare customers who do not want their data to leave Japan. 
Cloudflare’s unique global cloud network consists of data centers in over 275 cities across more than 100 countries. 
Cloudflare provides you with tools to manage how your data is routed through these data centers so you can 
customize where your traffic is inspected in ways that meet your security, privacy, and performance needs. 


About Cloudflare 


Cloudflare’s mission is to help build a better Internet. We provide a global cloud platform that 
delivers a broad range of network services to individuals and businesses of all sizes around 
the world. Cloudflare’s network and growing portfolio of products improve the security, 
privacy, performance, and reliability of anything that is connected to the Internet. In addition 
to serving our customers, Cloudflare’s mission is also to help make the Internet itself better 
— always on, always fast, always secure, always private, and available to everyone. 


Cloudflare’s network, developer community, and business are all ultimately built on customer 
trust. We seek to continually earn and maintain customer trust by being clear about our 
commitments to data privacy and how we manage customer and end user data on our 
systems. We also build trust by building and deploying products that (i) help improve the 
security of our systems, (ii) encrypt data at rest or in transit, and (iii) allow our customers 
to determine how traffic is inspected in different locations around the world. Finally, we 
earn customer trust by securing and maintaining industry-defined certifications (e.g. ISO 
27001 and 27701, SSAE 18, and SOC 2 Type II) and providing contracting mechanisms (e.g. 
Data Processing Agreements) that communicate our shared responsibility model with our 
customers in ensuring privacy. 
Cloudflare in Japan 


Today, millions of global Internet properties use Cloudflare. This list includes many 
organizations in Japan across a variety of fields, including Internet Initiative Japan, 
Waseda University, IDOM, OZ International, and Trust Bank. As companies and 
organizations of all sizes rely more on the Internet as a critical platform to serve their 
customers, users, and stakeholders, they are rapidly adopting secure and reliable cloud 
networks like Cloudflare to help protect their Internet-facing applications, infrastructure, 
and people from threats of all kinds. 


We recognize that data protection in Japan presents unique challenges. Japan has a 
comprehensive privacy regulation in the form of Japan’s Act on the Protection of Personal 
Information (“APPI”). 


Cloudflare’s Internet platform is built to support Japan’s most privacy-conscious and 
regulated industries, including financial services, telecommunications, IT/digital, and 
healthcare. At Cloudflare, we build our products to meet the highest standards of security 
and user privacy, and we partner closely with each of our Japanese customers to help 
them meet data protection obligations associated with their specific location and industry 
segment. We accomplish this through a variety of avenues, including: 


• Our overarching corporate commitment to privacy 
• Maintaining global security and privacy certifications 
• Maintaining an APPI-compliant data transfer mechanism 
• Offering product features which support data localisation 


This paper explains those avenues in detail. 


Cloudflare’s unique corporate commitment to privacy 


Cloudflare was built to help you and your customers be more secure on the Internet. We 
are a privacy-first company, and our network and all of our products are built with data 
protection in mind. We commit in our Privacy Policy that we will not sell personal data we 
process on your behalf or use it for any purpose other than to provide our services to you. 
Throughout our history, we’ve never violated this promise. In fact, our privacy stance was 
defined long before governments started regulating privacy in ways that forced many 
other technology companies to update their practices in order to appropriately prioritize 
customer and user privacy. We do not generate revenue from advertising — or profile our 
customers’ end users or end-user data for any purpose — and thus default against the 
collection and retention of personal data we process on your behalf. 


Below are some of the privacy commitments we make that differentiate us from many 
other cloud services providers: 


• Cloudflare does not sell personal data. 

• Cloudflare does not track our customers’ end users across Internet properties. 

• Cloudflare does not profile our customers’ end users to sell advertisements. 


• Cloudflare only retains personal data as necessary to provide Cloudflare offerings 
to our customers. 


• Cloudflare has never provided to any third party or government our customers’ 
encryption keys or a feed of customer content transiting our network, and we have a 
longstanding commitment that we would exhaust all legal remedies before complying 
with such a request. 


• Cloudflare has publicly committed that we will pursue legal remedies to contest any 
U.S. government request for data that we identify as being subject to data protection 
laws that may create a conflict of interest. 


• Cloudflare’s policy is to notify our customers of any legal process requesting their 
information before disclosure of that information, unless legally prohibited. 


Cloudflare’s global security certifications 


Cloudflare meets industry-leading standards for security and privacy, and validates those 
commitments with third party auditors on an annual basis. 


Cloudflare has been certified to a new international privacy standard for protecting and 
managing the processing of personal data — ISO/IEC 27701:2019. This standard is less 
than two years old, and adapts the existing Information Security Management System 
concept into the creation of a Privacy Information Management System (PIMS). There 
are requirements to make sure this privacy management system is robust and is also 
continually improving to meet its defined objectives. The standard is designed such that 
the requirements organizations must meet to become certified are very closely aligned to 
the requirements in Europe’s General Data Protection Regulation (GDPR). 


Put simply, the ISO 27701 certification provides assurance to our customers that we have a 
privacy program that has been assessed by a third party to meet an international industry 
standard aligned to one of the most comprehensive data protection regimes worldwide, 
and that requires us to keep our privacy program under continuous compliance. This 
certification, in addition to the Data Processing Addendum (DPA) we make available to 
our customers in the dashboard, offers our customers multiple layers of assurance that 
any personal data that Cloudflare processes will be handled in a way that meets the 
comprehensive data protection requirements, including those set out by the APPI. 


In addition, Cloudflare is compliant with ISO 27001/27002, Payment Card Industry Data 
Security Standards (PCI DSS), and SSAE 18 SOC 2 Type II. These validations provide 
assurance to organizations that transfer their most sensitive data through our services, 
and also help them meet and maintain their own compliance obligations. 
Because we care about data protection, we do not just audit where we are required to 
do so by law or where certifications are available. Our security team performs rigorous 
internal and external penetration tests, we operate a bug bounty program through 
HackerOne, and we retain third-party auditors to validate our privacy commitments. 
Examples include our privacy-focused audits, like the one we conducted in relation to our 
commitments for our 1.1.1.1 public DNS resolver. We are always open to obtaining additional 
validations that will provide assurance into our privacy program, policies, and practices for 
processing and storing personal data. 


The data Cloudflare processes 


Cloudflare processes the log data of our customers’ end users when those end users 
access our services in line with our customers’ authorization. This log data may include 
but is not limited to IP addresses, system configuration information, and other information 
about traffic to and from our customers’ websites, devices, applications, and/or networks. 
In addition, Cloudflare collects and stores server and network activity data and logs in the 
course of operating our products, and makes observations and analysis of traffic data. 
Our Privacy Policy more specifically describes the information we collect and how we use 
collected information. 


When we do collect and store data from activity on our network, we do so only to 
make our products better for you, for our other customers, or for the broader Internet 
community. We do not seek to monetize this data in any way we think would surprise you. 
For example, we may temporarily store and analyze network traffic data from all of our 
global customers so that we can intelligently route requests through the most efficient 
Internet paths. We may also store and analyze network data to detect and identify 
emerging threat vectors we can immediately use to improve our security tools. Finally, we 
may aggregate network data from significantly large customer segments (but never from 
individually identifiable users or customers) to help the Internet community understand 
trends and threats across the Internet (see Cloudflare Radar). 


Cloudflare’s data transfer mechanisms 


In the event that Cloudflare, as a data processor, transfers personal data outside Japan, 
we do so under our standard Data Processing Agreement (DPA), which is incorporated into 
our Enterprise Service Agreement as well as our Self Serve Subscription Agreement. Our 
DPA provides the standard of protection required to permit cross-border transfers under the APPI. You can find 
more information about our commitment to the APPI and about our DPA here. 
Importantly, in our DPA we commit that we will pursue legal remedies to contest any 
U.S. government request for data that we identify as being subject to the laws of 
another jurisdiction, such as Japan, and we commit to notifying our customers of any 
legal process requesting their information before disclosure of that information, unless 
legally prohibited. You can view the additional safeguards we have added as contractual 
commitments in section 7 of our DPA. 


Data protection regulations and guidelines are ever-evolving, and we closely monitor 
the regulatory and legislative landscape. We continually look ahead at emerging 
guidance to ensure that our customers and partners can continue to enjoy the benefits 
of Cloudflare in Japan. 


For customers who need to ensure that Cloudflare is not transferring any personal data, 
we offer a set of technical measures known as the Data Localization Suite. 


Cloudflare product features designed to support data localisation 


Cloudflare is committed to helping our customers keep personal data in Japan. 
We offer a Data Localization Suite, which gives customers control over where their data is 
inspected and stored. 


Our Data Localization Suite has the following elements: 


• Encryption Key Management (Geo Key Manager and Keyless SSL) 

• Payload Inspection Boundary (Regional Services) 


Encryption Key Management: 


Data privacy is not possible without Internet security, which is provided in large part by 
effective encryption. 


Encryption of data transmitted over a network requires the use of encryption keys, or sets 
of mathematical values that both the sender and the recipient of an encrypted message 
know. SSL/TLS, a cryptographic protocol which makes encrypted communication possible, 
uses a pair of keys — a public key and a private key. 
Cloudflare customers may choose to use two features to ensure that their private keys do 
not leave Japan: 


Keyless SSL allows customers to store and manage their own private keys for use with 
Cloudflare. Customers can use a variety of systems for their keystore, including hardware 
security modules (“HSMs”), virtual servers, and hardware running Unix/Linux and Windows 
housed in environments customers control. Keyless SSL is only keyless from Cloudflare’s 
point of view: Cloudflare never sees the customer’s private key, but the customer still has 
and uses it. Meanwhile, the public key is still used on the client side like normal. 
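The trust boundary the Keyless SSL paragraph describes, as an added illustration that is not Cloudflare’s code or its actual protocol: the edge holds only the certificate’s public key and asks the customer’s keystore to sign each handshake digest, so the private key never crosses to the proxy, and the keystore sees one auditable signing request per handshake. The KeyServer, Edge, and NewDeployment names are this example’s own assumptions, and ECDSA P-256 stands in for whatever key type a customer actually deploys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// KeyServer models the customer-controlled keystore (HSM or customer host);
// it is the only component that ever holds the private key.
type KeyServer struct {
	priv     *ecdsa.PrivateKey
	Requests int // each handshake appears here as an auditable signing request
}

// SignDigest: only a digest crosses to the keystore, only a signature returns.
func (k *KeyServer) SignDigest(digest []byte) ([]byte, error) {
	k.Requests++
	return ecdsa.SignASN1(rand.Reader, k.priv, digest)
}

// Edge models the proxy: public key plus a remote signing call, no private key field.
type Edge struct {
	Pub  *ecdsa.PublicKey
	sign func(digest []byte) ([]byte, error)
}

// Handshake hashes the transcript and delegates the signature to the keystore.
func (e *Edge) Handshake(transcript []byte) ([]byte, error) {
	digest := sha256.Sum256(transcript)
	return e.sign(digest[:])
}

// ClientVerify is the end user's side: verification needs only the public key.
func ClientVerify(pub *ecdsa.PublicKey, transcript, sig []byte) bool {
	digest := sha256.Sum256(transcript)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// NewDeployment hands the edge the public key and a signing callback, never the key.
func NewDeployment() (*KeyServer, *Edge, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ks := &KeyServer{priv: priv}
	return ks, &Edge{Pub: &priv.PublicKey, sign: ks.SignDigest}, nil
}

func main() {
	ks, edge, _ := NewDeployment()
	transcript := []byte("constructed handshake transcript") // constructed sample input
	sig, _ := edge.Handshake(transcript)
	fmt.Println("client verifies:", ClientVerify(edge.Pub, transcript, sig), "signing requests:", ks.Requests)
}
```

In a real deployment the signing callback is a network round trip to the customer’s keystore, which is why Keyless SSL requires the customer to operate and secure that keystore themselves.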


Geo Key Manager provides customers with granular control over the data centers in which 
their private keys are stored. For example, a customer can choose for the private keys to only be accessible inside data centers 
located in Japan. This approach frees customers from the complexity of deploying Keyless 
SSL and maintaining their own keystore. 


Payload Inspection Boundary: 


Cloudflare offers the most secure and highest performance network-as-a-service 
products because we proxy all of your traffic from the edge of our network. As an 
authorized proxy of your traffic, our services securely inspect your traffic to identify 
security threats and route it from any location across our global network. Cloudflare is 
one of the only cloud providers architected as a unified global platform that can also be 
configured to serve specific regional requirements. This architecture gives Cloudflare 
customers complete control over where and how traffic is inspected. 


Cloudflare’s Regional Services lets customers choose where in the Cloudflare network 
their TLS connections are terminated. For example, a customer could choose to have said 
connections terminate in Japan, so decryption and inspection of the content of HTTP 
traffic happens only inside Japan. This restriction applies to all of our edge “application 
services,” including: 

• Storing and retrieving content from cache 

• Blocking malicious HTTP payloads with the Web Application Firewall (WAF) 

• Detecting and blocking suspicious activity with Bot Management 

• Running Workers scripts 
A hypothetical use case would be a Cloudflare customer in Japan enabling Regional 
Services to limit servicing to Japan. Their end-user clients will connect to the nearest 
Cloudflare location anywhere in the world, but if that location is outside Japan, the traffic 
is passed to a Cloudflare Japan location before it is inspected. The customer still receives 
the benefit of our global, low-latency, high-throughput network, which is capable of 
withstanding even the largest DDoS attacks. 


However, Regional Services also gives customers local control. Only data centers inside 
Japan will have the access necessary to apply security policies. This approach allows 
Cloudflare to select the fastest route to Japan and the closest available point of 
presence for processing. 
Shared opportunities and responsibilities 


Because we know Japanese organizations need to integrate privacy and security 
principles into every aspect of their business, we have prepared this chart to make it easy 
to understand who is responsible for these commonly requested privacy requirements: 


Principle: Data protection by design 
Responsibility: Shared 
Responsibility Details: Cloudflare is responsible for delivering products and services with 
privacy in mind. The privacy team provides reviews, assessments, and 
training to ensure that privacy is instilled in the way we work. 

Customers are responsible for their usage and configuration of 
their Cloudflare services, and should periodically review their use 
and configuration of these services to validate that data protection 
principles have been considered in the design and implementation. 


Principle: Subject access request 
Responsibility: Shared 
Responsibility Details: Cloudflare provides data subjects with the right of access, correction, 
and deletion of personal information regardless of their jurisdiction of 
residence. Data subject requests may be sent to sar@cloudflare.com. 

If we receive a request from someone who appears to be an end user 
of one of our customers, we will direct that person to contact our 
customer directly. 


Principle: Adequate security 
Responsibility: Shared 
Responsibility Details: Cloudflare maintains a security program in accordance with industry 
standards. The security program includes maintaining formal security 
policies and procedures, establishing proper logical and physical 
access controls, implementing technical safeguards in corporate and 
production environments (including establishing secure configurations, 
secure transmission and connections, logging, and monitoring), and 
having adequate encryption technologies for personal data. 

Customers are responsible for reviewing the security posture of 
their cloud providers like Cloudflare, and can do so by reviewing our 
compliance validations and reports. We also encourage our customers 
to review their Dashboard security settings to ensure they adhere to 
their security policies and procedures. 


Principle: Personal data breaches 
Responsibility: Shared 
Responsibility Details: Cloudflare will notify customers as soon as we become aware of any 
breach of security leading to the loss, unauthorized disclosure of, or 
access to, personal data processed by Cloudflare or its sub-processors. 
Cloudflare is also responsible for providing our customers with 
reasonable cooperation and assistance in light of the breach, including 
providing customers with reasonable information in Cloudflare’s 
possession concerning the circumstances of the breach and the 
personal data impacted. 

Customers are responsible for complying with regulatory or contractual 
requirements to notify their end users and/or government authorities of 
any personal data breach. 
A global cloud network built on customer trust 


Cloudflare’s first priority is to earn and maintain customer trust. We understand that 
transparency into Cloudflare’s privacy commitments — and into our approach for building 
data locality and privacy safeguards into our network and products — helps customers 
meet their own obligations. We also understand that Cloudflare’s industry certifications 
and well-designed contracting mechanisms help us create a strong relationship of trust 
with our Japanese customers. 


Cloudflare’s privacy and security teams are here to partner with you to address the 
most stringent requirements you may face in your country, region, or industry. Our 
knowledgeable Account Executives, Customer Success Managers, and Sales Engineers 
partner regularly with our privacy and security compliance teams to help our customers 
configure the Cloudflare products they use to meet their specific compliance obligations. 


If you would like a demonstration or specialized session on configuration of your 
services to meet your unique obligations, contact us today. Please email us at 
privacyquestions@cloudflare.com or security@cloudflare.com. 